A tale of disappearing items, late authenticators, and few concrete answers.

When I first heard that a number of Diablo III players were complaining loudly that their Battle.net accounts were being hacked, and their in-game items and gold stolen wholesale, I assumed that it was a relatively small problem being blown up in traditional Internet message board fashion. I generally accepted Blizzard's official statement that the "extremely small" number of complaints it had received were mainly the result of standard attacks on the player's end, like hidden keyloggers and phishing scams.

Then I logged in to my Diablo III account earlier today and found that I had become one of those careless victims, my character stripped bare and my gold balance drained.

It's not even like I was a prime target for an attack. My level 14 Demon Hunter wasn't exactly festooned with high-end weaponry and armor, thanks to a play schedule limited heavily by recent travel and E3 preparations. But still, I was somewhat proud of the magical crossbow and relatively hefty shield I had mustered up, as well as a decent set of armor mostly purchased from an upgraded blacksmith. Now, all those items were gone, except for, oddly enough, a Superior Belt with an armor rating of 34 that was still wrapped around my waist. I still had all my level 14 abilities and statistics, as well as my quest progress. But without my gear and gold, I felt like I was starting over from scratch.

After putting in a call to Blizzard support and being warned of a 40-minute estimated wait time, I took the prerecorded hold voice's advice and scanned my computer for viruses. After AVG Free and Malwarebytes both confirmed my system was clean, I changed my password just to be on the safe side. This required logging in using the mobile authenticator that I had signed up for last Friday, a precaution I took after first hearing about the hacking complaints, figuring it was better to be safe than sorry.

After spending an hour on hold, a chipper Blizzard account representative came on the line and asked for my first and last name and e-mail address. I explained the problem of the missing loot, and he assured me that he'd probably be able to help me.

He brought up my account and explained that the restoration process for Diablo III was slightly different from that for World of Warcraft. He couldn't simply give me back the items and gold I had lost, he said, but he could perform a full account rollback to one of a number of server snapshots that are taken every 24 hours or so. This would eliminate any game progress I had made since the snapshot was taken, which wasn't a practical issue for me because I hadn't actually played the game after I discovered all my stuff was missing.

The last such snapshot that Blizzard had on file for my account was from Wednesday, May 23rd, showing me with a full set of gear and just shy of 4,000 gold. I was fairly sure I hadn't logged into the game that day, but a week later I can't really be certain. In any case, it leaves a small window, between the last time I was confirmed to have my gear and the time I installed the mobile authenticator on Friday, in which I could have been hacked. Guess I shouldn't have put off increasing my security for so long (I didn't actually check my Diablo III gear on Friday; I only used the Web interface to sign up for and test the authenticator).

When I pressed the rep for any details on how this account compromise might have happened, he said there was no way to be sure, and gave me the same old song and dance about keyloggers and viruses being the primary culprits. When I asked if he could go in and track what had happened to my loot and when, he apologized and said the only records he had access to were ones that showed when my account had been accessed. This seems like a pretty limited virtual crime-scene investigation tool, considering this problem happened in a game in which every player is online and every action, authorized or not, is presumably logged on a server somewhere. Then again, it's possible the capability exists, but the information is provided on a strict need-to-know basis to protect my privacy.

What's more, he admitted that there was a current issue with Blizzard's systems that was stopping him from seeing certain logins from other locations in his records. "So it could be a case like that where the account was logged into from somewhere else and we just can't see it," he said. When I brought up my recently activated mobile authenticator, he said that the compromise must have happened just before I set it up, and that the two-step verification system was "not 100 percent secure, but one of the most secure methods of protecting your account."
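The access records the rep could see are enough to narrow the compromise down, even without item-level logs: anything that touched the account between the last snapshot that still showed the gear and the moment the authenticator went on, from a network the account had never been used from before, is the candidate. The script below is an added example, not the article's or Blizzard's code, and it runs over a constructed log in a made-up "timestamp,IP,client" format; the May 23rd snapshot date comes from the article, every other timestamp and address is invented, and the /24 "same network" heuristic is a deliberate simplification.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed account-access records for the demo (not Blizzard's real log
# format, which the page does not describe): "ISO timestamp,source IP,client".
ACCESS_LOG = """\
2012-05-20T21:14:03Z,203.0.113.7,game
2012-05-21T22:02:41Z,203.0.113.7,game
2012-05-23T20:45:10Z,203.0.113.7,game
2012-05-24T04:12:55Z,198.51.100.23,web
2012-05-24T04:15:02Z,198.51.100.23,game
2012-05-25T18:30:00Z,203.0.113.7,web
2012-05-30T17:05:44Z,203.0.113.7,game
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str):
    """Parse the constructed format into (timestamp, ip, client) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, client = line.split(",")
        events.append((parse_ts(ts), ip_address(ip), client))
    return events


def known_networks(events, before: datetime, prefix: int = 24):
    """Networks the account was used from before the incident window.
    A /24 is a crude stand-in for 'same place'; real systems use geo/ASN data."""
    return {ip_network(f"{ip}/{prefix}", strict=False)
            for when, ip, _ in events if when < before}


def logins_in_window(events, start: datetime, end: datetime, known):
    """Split logins inside [start, end] into ones from known networks and not."""
    familiar, unfamiliar = [], []
    for when, ip, client in events:
        if not (start <= when <= end):
            continue
        bucket = familiar if any(ip in net for net in known) else unfamiliar
        bucket.append((when.isoformat(), str(ip), client))
    return familiar, unfamiliar


def incident_window_report(log_text: str, snapshot_iso: str, secured_iso: str):
    """Window = last snapshot that still showed the gear .. authenticator enabled.
    Baseline = every network seen before that window."""
    events = parse_log(log_text)
    snapshot, secured = parse_ts(snapshot_iso), parse_ts(secured_iso)
    known = known_networks(events, before=snapshot)
    return logins_in_window(events, snapshot, secured, known)


if __name__ == "__main__":
    # Snapshot date from the article; the authenticator time is constructed.
    familiar, unfamiliar = incident_window_report(
        ACCESS_LOG, "2012-05-23T00:00:00Z", "2012-05-25T18:30:00Z")
    print("in-window logins from known networks:   ", familiar)
    print("in-window logins from unfamiliar networks:", unfamiliar)
```

The two 4 a.m. logins from 198.51.100.23 are the ones to ask the rep about. The caveat the rep himself supplied applies: if the logging system drops some logins "from other locations", an empty unfamiliar list proves nothing, so this narrows the window rather than clears it.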

From that point, actually getting my loot back was a relatively painless process. The phone rep directed me to a Blizzard tech support web page where I could submit a ticket with a special keyword that would bump me into a priority queue for account restoration. He cautioned that all Battle.net accounts are limited to two such rollbacks over the lifetime of the game, and so urged me to be extra careful with my account details from here on out. Within a half-hour of hanging up, my account was restored and my character was again standing in full regalia, ready to take on the demonic hordes.

It wasn't until I had been through this entire process, and I was talking about potential security threats with an expert, that I realized that my password security might not have been as airtight as I thought. The password I've been using for my Battle.net account was the same one I used to use on services such as Twitter and PSN before they were potentially compromised through well-publicized hacking scandals. I've updated most of my crucial accounts with much more secure, unique passwords since then, but I'd forgotten to change my Battle.net password in that time (and simply forgot that the old password was in any way insecure).

This seems like the most likely security hole, in hindsight, and one that could have been easily closed had I been more vigilant, or quicker to sign up for Blizzard's two-step authentication service (a measure, it should be noted, that's more secure than those offered by most banks). Still, I'll probably never be completely sure how I briefly lost all my progress in Diablo III, and the whole affair has made me quite a bit more paranoid about my computer security. I can only hope that the experience serves as a cautionary tale for me and others going forward.

After this, if you get a phishing email to blah@gmail.com you know it didn't come from bnet.

Furthermore, take this many steps farther and for every site you have an account with, set your email to blah+randomsite@gmail.com so you can easily filter all sites by your incoming email address.

*cough* I use this on many sites, but I haven't tried with bnet; bnet may not allow + signs in email addresses. I've run into a rare site that doesn't. So if it doesn't work with bnet, sorry. I'm feeling lazy and don't feel like testing my theory atm.
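As an added example of the filtering the comment above describes (not the commenter's code), the block below parses both Gmail-style `blah+tag@gmail.com` addresses and the catch-all-domain variant other commenters prefer, where the site name is the whole local part, and checks the tag against the sender domain. The tag-to-domain table and the sample headers are constructed for the demo; nothing here is known about Blizzard's actual sending domains beyond what the names suggest.

```python
from email.utils import parseaddr

# Which sender domains we expect for each tag we handed out. Assumed values for
# the demo; the page says nothing about what Blizzard really sends mail from.
EXPECTED_SENDERS = {
    "bnet": {"blizzard.com", "battle.net"},
    "steam": {"steampowered.com"},
}


def split_tagged_address(addr: str, catchall_domains=()):
    """Return (mailbox, tag). Handles blah+tag@gmail.com and, for a catch-all
    domain, tag@you.example where the local part itself is the site name."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in catchall_domains:
        return f"*@{domain}", local
    if "+" in local:
        base, tag = local.split("+", 1)
        return f"{base}@{domain}", tag
    return f"{local}@{domain}", None


def sender_domain(from_header: str) -> str:
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def classify(headers: dict, catchall_domains=()) -> str:
    """One verdict per message based on recipient tag vs. sender domain."""
    _, tag = split_tagged_address(parseaddr(headers["To"])[1], catchall_domains)
    if tag is None:
        return "untagged"             # bare mailbox: no site was ever given this
    allowed = EXPECTED_SENDERS.get(tag)
    if allowed is None:
        return "unknown-tag"          # never handed out, or a typo
    dom = sender_domain(headers["From"])
    if any(dom == d or dom.endswith("." + d) for d in allowed):
        return "tag-matches-sender"
    return "tag-sender-mismatch"      # tagged address leaked, or From: is forged


# Constructed sample headers.
SAMPLES = [
    {"To": "blah+bnet@gmail.com", "From": "Blizzard <noreply@blizzard.com>"},
    {"To": "blah@gmail.com", "From": "Blizzard Support <help@account-verify.example>"},
    {"To": "blah+bnet@gmail.com", "From": "Blizzard Security <alerts@account-verify.example>"},
    {"To": "bnet@mybox.example", "From": "noreply@battle.net"},
]


def classify_all(samples=SAMPLES, catchall_domains=("mybox.example",)):
    return [classify(h, catchall_domains) for h in samples]


if __name__ == "__main__":
    for h, verdict in zip(SAMPLES, classify_all()):
        print(f"{h['To']:<24} {verdict}")
```

Two caveats a practitioner would add. `From:` is trivially forged, so "tag-matches-sender" says nothing about authenticity without DKIM/SPF results; the tag only tells you which site a harvested address came from. And an attacker holding `blah+bnet@gmail.com` can simply strip the `+bnet`, since the base mailbox is obvious, which is one reason the catch-all-domain approach in the replies is stronger than plus-addressing.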

As somebody working at a big search engine I can tell you that while we do store queries the only people in a position to even possibly see them (insanely unlikely for such a tail query) are completely uninterested in your Diablo 3 lootz, or even looking around for this kind of stuff.

I thought the original suggestion was a pretty good one actually, the potential for somebody working at $bigengine to first find and then care about your query is insanely low. Don't be *too* paranoid.

The bigger issue IMO is that some search engines store the history to be user accessible, meaning that if someone gets their computer or search engine account hacked and they check this history, they now have a password list.

Several years ago, when my significant other's WoW account got hacked, we bought a pair of Blizzard security authenticator fobs for WoW. They were relatively new at the time and lots of people were complaining that Blizzard was trying to cash in on the hacking drama. But seriously, these things were like $6 a piece, which is a lot cheaper than the VPN fob I had for work which was about $40. Seemed to me Blizzard was selling those things at or near cost.

Anyways, we have never been hacked since. Starcraft 2 and Diablo III came along later and our fobs work just fine with those games, too. Just gotta make sure we don't lose the darned things.

I use the spamgourmet online service for this kind of thing. If you create an account with spamgourmet, with username blah, and give them your real email address, then you can create a bunch of temporary email addresses, such as bnet.blah@spamgourmet.com or bliz.blah@spamgourmet.com. You can also choose a variety of other domain names through the same service. By default, 3 emails to your temporary address will be forwarded to your real email address and after that everything is deleted unread. You can also change the count, though, and you can whitelist senders or whole domains so that they don't count against that limit. It's a very useful service and anyone interested is encouraged to check them out at www.spamgourmet.com

Of course, my password is as long as Blizzard will allow, unique, and random; password wallets ftw.

They really need to allow you to make longer passwords. My steam account password for example has such a long cap that I can type a full sentence for a password.

It's highly unlikely they are brute-forcing the passwords, more likely it's phishing schemes or trying a set of passwords stolen from somewhere else where people have used the same username/password combo. From what I've read it appears that there is a login throttling mechanism -- it only allows so many logins per time period (minute, hour, not entirely sure)

If you have a decent alphanumeric password, try googling it every once in a while and see if it shows up on a hash cracking site.

Scary. Found a 10-digit alphanumeric password I used to use a few years ago, showing up on at least 4 different sites publishing MD5 hashes. It's unique enough I'd be surprised if it's not mine. This was a password I used to use before I began using a process that creates a unique password per domain, but still... an uncomfortable reality check!
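Typing a live password into a search box hands the plaintext to the search engine's query log, which is exactly the exposure the comments above argue about. The check the two commenters want can be done without that: hash the password locally, send only a short prefix of the hash, and match the rest on your own machine (the k-anonymity range-query model). The block below is an added example, not any commenter's code or a real service's API; the "breach corpus" and its counts are constructed, and the server is simulated in-process so the whole thing runs offline.

```python
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus. Counts are invented; a real
# service stores and serves hashes, never the plaintexts used to build them.
_FAKE_LEAK_COUNTS = {"password": 3_000_000, "diablo3": 1200, "letmein1": 45_000}
FAKE_LEAK_HASHES = {sha1_hex(p): n for p, n in _FAKE_LEAK_COUNTS.items()}


class RangeServer:
    """Simulated service side of a k-anonymity range query. It only ever sees a
    5-hex-character prefix and answers with every suffix it knows for it."""

    def __init__(self, corpus: dict):
        self.corpus = corpus
        self.received = []            # what the client actually sent, for inspection

    def query(self, prefix: str):
        self.received.append(prefix)
        return [f"{h[5:]}:{n}" for h, n in self.corpus.items() if h.startswith(prefix)]


def breach_count(password: str, server: RangeServer) -> int:
    """Client side: hash locally, send the prefix only, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in server.query(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    srv = RangeServer(FAKE_LEAK_HASHES)
    for pw in ("password", "diablo3", "7Hq#vL2!pZ9mW"):
        print(f"{pw!r}: seen {breach_count(pw, srv)} times")
    print("server saw only:", srv.received)   # prefixes, never a password or full hash
```

With a real corpus the prefix narrows the candidates to a few hundred suffixes, which is why sending five characters reveals nothing useful about which password you asked about. The commenter's MD5 observation is the same lesson from the other side: an unsalted hash of a reused password is as good as the password once it is on a cracking site.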

Ceasar, please fucking get Ben back, pay him more or whatever; this guy is just no good. Nothing personal, Kyle.

I don't want to take sides, but let me help you out, Matisaro. He seems to be doing pretty good work over here. http://penny-arcade.com/report/ It's not like he left Ars without leaving a forwarding address.

Well, I thought what he mentioned about the possibility that session keys were being robbed was interesting. I don't know much about the IT side of things, but could that be a possibility? I signed up for that authenticator a few days ago when I first read about the hackings. Annoying stuff, it has to be said!

There is a video of this on youtube. They can hack anyone. It's a bug that's being exploited. Your authenticator will do nothing.

I think the vids been taken down. But I saw it. Was legit.

It's not weak passwords. It's a hack to do with your stash.

Please don't spread false rumors.

I don't believe for a minute the video was real, and the fact you thought it was real, means you will pretty much believe anything you are told.

sandain wrote:

The real problem here is that Battle.net passwords are not secure by design, they are not case sensitive. Go ahead and give it a try. This needs to change Blizzard!

A 12 character password with 46 different possible characters that can be used has billions of possible combinations. A 12 character password with 72 different possible characters that can be used has tens of billions of possible combinations.

Both would take a hacker more time than three generations of their family will be alive to guess (in theory). Blizzard locks your account after several invalid attempts to access your account (you have to call them to unlock it). In addition, it is much easier to simply know the password and log into the account, like what happened to the author of this story.

The one problem with using an authenticator on a smartphone... is that if you lose (or Apple replaces) your iPhone, you can't deauthenticate the old phone except through a convoluted process requiring a ticketed response and scanned Photo ID via blizzard support. Which in my recent and current experience (having just had my iPhone replaced by Apple) takes around 48 hours to get a response.

So... no Battle.net-requiring games for 48 hours.

If you follow the instructions when setting up the authenticator, it quite clearly tells you to record the serial number and your restore number. You can reset your authenticator with both pieces of information.

Not really sure what this is supposed to do though. I'd have thought anyone that can do this would 1) already have spam filters that got rid of phishing emails and/or 2) would be able to identify phishing emails anyway.

Would you really 100% trust an email from Blizzard just because it came to your blah+bnet@gmail.com account?

I've only read the first 1.5 pages, but I am surprised no one yet has said the first thought that came to my mind: "THIS IS WHY IT IS RETARDED TO HAVE PLAYERS OF SINGLE PLAYER GAMES LOG INTO BATTLE.NET"!!!!!

Not only are people with no intention of playing online locked out like everyone else when the servers are down, but people who were forced to sign up a battle.net account who used a quick easy username/password because they had no intention of actually playing multiplayer online are vulnerable to getting hacked and losing their stuff anyway!

This is why I have not and have no intention of buying Diablo 3 no matter how much I love demon-stomping unless and until they offer a way to decouple single player accounts from battle.net. I'll stick with Torchlight and hell even Diablo 2.

The password I've been using for my Battle.net account was the same one I used to use on services such as Twitter and PSN

This is the most important piece of the entire thing. People, stop doing this. It shouldn't even have to be a thought, do not re-use the same password for different things.

That's like saying that your passwords should be twelve characters, include as many symbols as alphanumerics and numbers, and should be changed every two months. If you include too much password "security", you actually end up decreasing security.

Once again a game manufacturer wants everything for a nothing product. Why, you say? Let me see: you can't play it stand-alone, you can't play on a LAN, you can't play without internet, you can't play without the servers being up, NO SECURITY AT ALL, and if you want security (Authenticator) of course you pay more money. See what I mean? Everything for nothing. Needless to say I AM OFFICIALLY a D3 HATER. I will not buy it unless it's patched to play stand-alone. If I pay 60 bucks for a game then it BETTER DAMN WELL BE MINE and I should be able to play it NO MATTER WHAT.

As a Demon Hunter player, I'd recommend swapping that shield out for another Hand Crossbow or get a 2H bow/x-bow with a quiver. Demon Hunters should not be getting hit often enough to warrant a shield, especially in Normal. Learn those kiting skills if you plan on playing the higher difficulty levels!

You mean that authenticator that you can download to a phone for free, or even just authenticate via text message? Total cost: free, so long as you aren't paying a bunch for texts if you go the text route. The Authenticator is being sold for $6. Considering most jobs that have similar authenticators charge you $80 if you lose it and it needs to be replaced, Blizz is getting a MAJOR cost reduction due to volume. Blizzard is basically selling these things at cost and possibly losing money on them.

D3 is an online game only. STFU about it already. They didn't change their mind in the last 10 months since the announcement, they aren't changing anytime soon and no one gives a shit if you aren't buying the game. You aren't that special.

I think you should stfu about telling people to stfu. No one gives a shit that you don't give a shit that he isn't buying the game. You aren't that special.

This is a message board. People come here to post positive and negative things. People get to say things you don't agree with. You're not the administrator, and you don't speak for everyone, as much as you might like to think otherwise. People get to say things you don't like hearing. Learn to deal with it.

This is a nice solution had you not involved free email hosting. Anyone can break into your primary account at any point by brute force or exploit.

You want to have security and tracking, grab your own domain and just have all email from unknown usernames forwarded to a primary email address. No need to set up an individual alias per site; just make a rule for your primary email address to go to one folder and other addresses to other folders.

Using Amazon or another virtual host cloud provider, it would probably only cost you $30-40 a year and that includes the domain renewal.

Add on extra security like secure SMTP, personal certificate, etc., and no one will be breaking into your email unless you've angered someone smarter than you.

/golf clap Blizactivision, greed bites you in the ass, folks.

Considering the sales figures I don't think they got bit in the ass and obviously the holdouts haven't impacted sales in the slightest. As for having to log in to play a single player game...do you ever use Steam? If your Steam account gets 'hacked' your ability to play Steam games suffers the same fate.

To chime in: I don't give a shit that you don't give a shit that he doesn't give a shit.

I don't think the authenticator is worth the hassle. I actually bought and shared one with my wife for SWTOR, but Bioware was smart in providing in-game incentive to actually use the damn thing. Since I get two rollbacks, I'll worry about getting an authenticator if against all odds my account is compromised. As others have pointed out, it is more secure than many financial institutions (not mine), but ultimately, it's just a game.

Out of curiosity, does Blizzard allow sharing a key on more than one account? I doubt I can even use the app on my work-provided Blackberry, and the thought of having to buy two isn't very appealing.

I actually had this shit attempted while online and playing. Got kicked out because someone else logged into my account. Immediately logged back in and was kicked off 2 minutes later. Tried to log in and my password was changed.

But I managed to go do a password reset and kick the prick out before he got rid of my stuff. Wound up doing 4 password resets and changing the password for my email too. Saved all my stuff

That's what I hope, in which case standard password security should be protecting people and there is no reason whatsoever for using an authenticator. It should be impossible to brute-force a password for an online service through millions/billions of login attempts. Unfortunately I haven't seen any confirmation from Blizzard of what exactly their policies actually are, but one would hope they aren't so incompetent as to allow unlimited login attempts. Then again, one would have hoped that they would have come out of the gates with better security in place (confirmation emails when connecting from new computer/location would be a good start) when they knew (or should have known) that the game was going to be a major target.
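The arithmetic in the comments above and the lockout this reply hopes for can be put together in a few lines. The block below is an added example, not code from Blizzard or from any commenter: it computes the keyspaces quoted earlier in the thread, the rate a failure lockout leaves an online guesser, and simulates a per-account lockout. The lockout parameters (five failures, fifteen-minute lock) are assumptions; the page only says Blizzard locks the account after "several" bad attempts.

```python
from collections import defaultdict

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def bruteforce_rate(max_failures: int, lockout_seconds: int) -> float:
    """Best-case online guesses per second against one account once a
    'max_failures then lock' policy is in place."""
    return max_failures / lockout_seconds


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / SECONDS_PER_YEAR


class LoginGuard:
    """Per-account lockout after N consecutive failures. Parameters assumed."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account: str, password_correct: bool, now: float) -> str:
        if self.locked_until.get(account, 0) > now:
            return "locked"                  # right password or not, nobody gets in
        if password_correct:
            self.failures[account] = 0
            return "ok"                      # a reused/leaked password passes first try
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "fail"


if __name__ == "__main__":
    rate = bruteforce_rate(5, 900)
    for charset in (46, 72):
        space = keyspace(charset, 12)
        print(f"{charset}^12 = {space:.2e} guesses, "
              f"{years_to_exhaust(space, rate):.1e} years at {rate:.4f} guesses/s")
    guard = LoginGuard()
    print([guard.attempt("kyle", False, t) for t in range(5)])   # 4x fail, then locked
    print(guard.attempt("kyle", True, 10))      # locked: correct password, still refused
    print(guard.attempt("kyle", True, 910))     # ok: lock expired
    print(guard.attempt("kyle", True, 0))       # ok on a fresh account: lockout never sees it
```

Two things the numbers make plain. Online guessing at a throttled rate is hopeless even for a modest 12-character password, so a successful login against a throttled service almost always means the password was known, which is the article's own conclusion. And a per-account lockout is double-edged: an attacker who knows your account name can lock you out at will, and a lockout counted per account does nothing against spraying one common password across many accounts, which is where a new-location confirmation email of the kind this reply asks for earns its keep.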

Diablo 2 accounts were compromised. Even if Diablo 3 did not require a persistent online connection, the author's account, unless he played in this "offline mode", would have been compromised.

My Diablo 2 characters were never in danger of being compromised, because they were all stored locally on my hard drive. Never played once on battle.net, yet somehow managed to have fun playing with friends across the country without issues and with no fear of losing progress to someone hacking my account. Funny how we seem to have gone backwards in that respect in the intervening ten years.

Before everyone jumps in to say that they're sick of hearing from people who don't like the always-online aspect; I know. I don't care. I still bought the game and I like it, I know why they went this route, but I'm going to keep complaining about it as long as it is relevant (especially when they do really dumb things like automatically log you in to a general chat channel so you can "enjoy" the idiocy of your fellow players when all you wanted to do was kill some demons in peace for a few minutes).

He warned me that all Battle.net accounts are limited to two such rollbacks over the lifetime of the game

I saw this mentioned just once and I'm surprised more people haven't spoken up about this.

Blizzard has required online play for single player because (their argument) "it makes a better experience" or (most everyone else's argument) "DRM and they can make more money with the cash auctions".

Whichever way you look at it, this is a HUGE HUGE problem.

Basically what they're saying is after your first two hacks, you're hosed. Even if you never play with other people. Even if you don't have a single friend on battle.net. If you only ever play single player, and put up with their requirement to be constantly connected to a server, someone else can come in and ruin your game. If you follow their reasoning, it doesn't make for a good experience. If you go with what most everyone else is saying, it means the DRM has gone from "annoying" to "actively hurting the paying customer".

And if it happens three times, they'll tell you "sorry, you've used your only two rollbacks allowed."

Kyle, let me ask you this:

knowing that you have only one remaining rollback allowed, for the life of the game, what happens if your account is accessed next week and you need another rollback? Are you going to ask for it? Or are you just going to suck it up and say "well, I'm only level 17, I'll just change my password and start from scratch with the gear. I should save that rollback for when I'm level 60. Or for three years from now after an expansion comes out."

Because it seems to me that neither of those options is a good one, and this is ANOTHER situation that could be averted by allowing offline play without any kind of server connection.

Diablo II's methods weren't broken. You had single player and open multiplayer, where there might have been hacking and all that crap. Then there was the multiplayer on battle.net which stored characters for you and that Blizzard could monitor. I see no reason they couldn't have just implemented this in D3. I'd prefer it if they'd just come out and say "well, we want money from auctions, that's why."

I've been going back and forth on buying a copy of D3 since the week before release, and things like this are pushing me further and further into the "don't buy" camp. I'd like to get in on the "click click click click loot loot click click run loot" action, and play with some of my friends, but there are other games I can play to do that, and those games don't have the same ridiculous "always online" requirement.

And another thing - what the hell are hackers doing with the loot? Selling it for gold? So they can sell gold? For a game that will be dealing in actual currencies in like a month? Are people actually buying gold for this game already?

Kyle Orland / Kyle is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from University of Maryland. He is based in the Washington, DC area.